Crypto theft exceeded US$3.4 billion in 2025, with new data indicating a measurable shift in how attacks are conducted across the ecosystem.
The Stolen Funds chapter of Chainalysis’s 2026 Crypto Crime Report showed that more than US$3.4 billion in stolen funds between January and early December 2025. While this figure reflects continued security challenges, the underlying data points to notable changes in the composition and mechanics of crypto-related theft.
These shifts include increasingly severe breaches at centralised services, the expansion of personal wallet compromises, evolving patterns in DPRK-linked activity, and a divergence between decentralised finance (DeFi) hack volumes and overall market growth. A significant portion of the year’s losses stemmed from single high-impact events. The compromise of Bybit in March accounted for US$1.5 billion alone.
Although private key compromises at major exchanges and custodians remain relatively rare, their impact is substantial when they do occur. In Q1 2025, these types of incidents constituted 88% of all stolen value. Loss concentration has also intensified: the three largest hacks of the year represented 69% of total service losses, and the ratio between the largest and median incidents surpassed 1,000×, the highest level observed to date.
State-linked activity continues to be a defining element of the landscape. The Democratic People’s Republic of Korea (DPRK) was responsible for at least US$2.02 billion in stolen cryptocurrency in 2025, a 51% increase from 2024 despite a substantially lower number of confirmed incidents. DPRK-linked groups continue to target large centralised services and increasingly rely on infiltration via IT workers to obtain privileged access.
Their laundering patterns remain distinct from other criminal actors, characterised by smaller transfer brackets and a strong preference for Chinese-language money-moving networks, cross-chain bridges, mixing services, and specialised OTC platforms. A recurring 45-day laundering cycle, seen across multiple years, reflects a structured operational approach.
Personal wallet compromises increased significantly. Estimated incidents rose to 158,000 in 2025, nearly triple the 54,000 recorded in 2022. The number of identified victims doubled to more than 80,000. However, the total value stolen from individuals fell to US$713 million, down from US$1.5 billion in 2024, indicating that attackers targeted more users but extracted smaller amounts per victim. Network-level analysis shows that Ethereum and Tron have the highest theft rates per 100,000 active wallets, while Base and Solana present comparatively lower rates despite large user populations.
In contrast, DeFi-related theft showed a notable divergence. While total value locked (TVL) increased in 2024–2025, hack volumes did not rise in parallel. This departure from earlier patterns may reflect improved protocol security and a shift in attacker focus towards centralised services and individual users. The response to the September 2025 Venus Protocol incident illustrates advancements in incident detection and mitigation, with suspicious activity identified early, the protocol paused promptly, and affected funds ultimately recovered.
Overall, the 2025 findings indicate a more polarised threat environment: fewer but higher-severity breaches at centralised services, continued DPRK-linked operations, expanding personal wallet risks, and reduced relative impact on DeFi. These shifts provide important reference points for assessing security priorities in 2026.
Stay updated on crypto and AI by following our socials
